Researchers Identify Four Bypass Techniques Against CHERI Compartmentalisation on Linux and BSD
In a recent arXiv preprint, a team of security researchers detailed four distinct methods for bypassing the compartmentalisation mechanisms of the CHERI architecture on both Linux and BSD platforms. The study demonstrates that, while CHERI effectively mitigates many memory‑corruption attacks, its compartmentalisation layer can still be subverted by relatively simple bugs and exploits. The paper, posted on arXiv in January 2026, outlines the vulnerabilities, presents proof‑of‑concept code, and offers mitigation recommendations.
Background on Memory Corruption and CHERI
Memory‑corruption attacks have long plagued software systems, enabling adversaries to alter program control flow or read and write data they were never granted. Deployed mitigations such as address space layout randomisation (ASLR) and stack canaries are probabilistic or partial and are routinely bypassed. CHERI (Capability Hardware Enhanced RISC Instructions) replaces raw pointers with hardware capabilities: tagged pointers that carry bounds and permissions, cannot be forged from integers, and can only be narrowed, never widened (monotonicity). An out‑of‑bounds or over‑privileged dereference therefore faults in hardware, which gives a far more comprehensive defence against memory‑corruption attacks than address randomisation alone.
Compartmentalisation in CHERI
Beyond pointer safety, CHERI supports compartmentalisation: a program is partitioned into compartments (for example, one per shared library) that each hold only the capabilities they need, and cross‑compartment calls pass through a trusted switcher that swaps the capability context. This design applies the principle of least privilege, aiming to confine a compromised compartment and prevent lateral movement to the rest of the process or the system.
Bypassing Techniques
The authors identified four categories of bypass technique that exploit implementation flaws in the way Linux and BSD integrate CHERI’s compartmentalisation. According to the abstract, these techniques leverage subtle bugs in system call handling, misconfigured capability tables, and inadequate validation of inter‑compartment communication, allowing code in one compartment to obtain rights it was never granted and so cross the intended compartment boundary.
Linux and BSD Findings
Testing on CHERI‑enabled Linux revealed that certain kernel‑level interfaces failed to enforce capability checks consistently, creating a pathway for code in a low‑privilege compartment to invoke privileged operations. The BSD port, in turn, exhibited weaknesses in its capability revocation logic: an attacker could retain stale capabilities across a compartment transition and use them afterwards, which defeats the isolation the transition was meant to establish.
Proposed Mitigations
To address the identified gaps, the paper recommends stricter validation of capability metadata during system calls, enhanced auditing of compartment entry and exit points, and the introduction of automated testing suites that target compartmentalisation boundaries. The authors also suggest architectural refinements to the CHERI ISA that would make capability checks immutable once a compartment is entered.
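The following C program is an added illustration, not code from the paper, from CheriBSD or from the Linux port, and it does not reproduce CHERI's real capability encoding. It models in software the two properties the mitigations above rely on: monotonic capability derivation (a child may only narrow bounds and drop permissions) and a system call boundary check that validates tag, bounds, permissions and, crucially, whether the capability survived a compartment transition. The `epoch` field, the `compartment_switch()` model of revocation, the `PERM_*` names and the `sys_write_*` entry points are assumptions of this example. `sys_write_naive` reproduces the bug class described for the BSD port (a stale capability accepted after a transition); `sys_write_checked` rejects it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits carried by a simulated capability (illustrative subset). */
enum { PERM_LOAD = 1u, PERM_STORE = 2u, PERM_EXEC = 4u };

/* Software model of a capability: the tag, bounds and permissions CHERI keeps
 * in hardware, plus an "epoch" field that this example uses to model
 * revocation across compartment transitions. This layout is an assumption of
 * the model, not CHERI's real encoding. */
typedef struct {
    bool      tag;      /* false once the capability is invalidated */
    uintptr_t base;     /* lowest address the capability covers */
    size_t    length;   /* size of the covered region in bytes */
    uint32_t  perms;    /* PERM_* bits */
    uint64_t  epoch;    /* compartment epoch the capability was issued in */
} cap_t;

/* A compartment's activation epoch; each transition advances it. */
typedef struct { uint64_t epoch; } compartment_t;

typedef enum { CAP_OK = 0, CAP_UNTAGGED, CAP_OOB, CAP_NOPERM, CAP_STALE } cap_err_t;

/* Monotonic derivation: a child may only narrow the bounds and drop the
 * permissions of its parent. Any attempt to widen yields an untagged capability. */
static cap_t cap_derive(const cap_t *parent, uintptr_t base, size_t length,
                        uint32_t perms)
{
    cap_t c = { false, base, length, perms, parent->epoch };
    bool in_bounds = parent->tag && base >= parent->base &&
                     length <= parent->length &&
                     base - parent->base <= parent->length - length;
    bool perms_ok = (perms & ~parent->perms) == 0;
    c.tag = in_bounds && perms_ok;
    return c;
}

/* Every check a syscall boundary should apply to a user-supplied capability:
 * tag, bounds, required permissions, and that no compartment transition has
 * retired it since it was issued. */
static cap_err_t cap_check(const compartment_t *cur, const cap_t *c,
                           size_t access_len, uint32_t need)
{
    if (!c->tag)                  return CAP_UNTAGGED;
    if (access_len > c->length)   return CAP_OOB;
    if ((need & ~c->perms) != 0)  return CAP_NOPERM;
    if (c->epoch != cur->epoch)   return CAP_STALE;
    return CAP_OK;
}

/* Compartment entry/exit: advancing the epoch retires earlier capabilities. */
static void compartment_switch(compartment_t *cur) { cur->epoch++; }

/* Buggy entry point: validates tag, bounds and permissions but never asks
 * whether the capability survived a compartment transition. */
static cap_err_t sys_write_naive(const compartment_t *cur, const cap_t *buf,
                                 size_t len)
{
    (void)cur;  /* the current compartment is ignored: that is the bug */
    if (!buf->tag)                       return CAP_UNTAGGED;
    if (len > buf->length)               return CAP_OOB;
    if ((PERM_LOAD & ~buf->perms) != 0)  return CAP_NOPERM;
    return CAP_OK;
}

/* Hardened entry point: the same checks plus the revocation test. */
static cap_err_t sys_write_checked(const compartment_t *cur, const cap_t *buf,
                                   size_t len)
{
    return cap_check(cur, buf, len, PERM_LOAD);
}

/* Scenario: a compartment is handed a read-only buffer capability, a
 * transition occurs, and the old capability is presented to the syscall
 * again. Returns the verdict of the naive or the hardened entry point. */
static cap_err_t stale_cap_scenario(bool hardened)
{
    static uint8_t mem[64];                     /* constructed backing memory */
    compartment_t comp = { 1 };
    cap_t root = { true, (uintptr_t)mem, sizeof mem, PERM_LOAD | PERM_STORE, 1 };
    cap_t buf  = cap_derive(&root, root.base + 16, 32, PERM_LOAD);
    compartment_switch(&comp);                  /* buf should now be retired */
    return hardened ? sys_write_checked(&comp, &buf, 32)
                    : sys_write_naive(&comp, &buf, 32);
}

/* A derivation that widens bounds or adds PERM_STORE must lose its tag,
 * while a properly narrowed one keeps it. */
static bool widening_is_rejected(void)
{
    static uint8_t mem[64];                     /* constructed backing memory */
    cap_t root     = { true, (uintptr_t)mem, sizeof mem, PERM_LOAD, 1 };
    cap_t wider    = cap_derive(&root, root.base, sizeof mem + 1, PERM_LOAD);
    cap_t stronger = cap_derive(&root, root.base, 8, PERM_LOAD | PERM_STORE);
    cap_t fine     = cap_derive(&root, root.base + 8, 8, PERM_LOAD);
    return !wider.tag && !stronger.tag && fine.tag;
}

int main(void)
{
    printf("naive syscall after transition:    %s\n",
           stale_cap_scenario(false) == CAP_OK ? "accepted (bug)" : "rejected");
    printf("hardened syscall after transition: %s\n",
           stale_cap_scenario(true) == CAP_STALE ? "rejected as stale" : "accepted");
    printf("widening/escalation rejected:      %s\n",
           widening_is_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the epoch field is that tag, bounds and permission checks alone cannot tell a kernel whether a capability is still supposed to exist; revocation state has to be consulted explicitly at the boundary, which is what the naive entry point omits and what the paper's call for stricter metadata validation at system calls addresses.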
Implications and Future Work
The findings underscore that robust pointer protection does not automatically guarantee effective compartmentalisation. By exposing concrete bypass scenarios, the research provides a roadmap for operating‑system developers to harden CHERI implementations. The authors conclude with a call for continued collaboration between hardware designers, OS developers, and the security research community to anticipate and mitigate emerging threats.
This report is based on the abstract of the paper as posted on arXiv (an open‑access preprint). The full text is available via arXiv.